Computerworld

Govt calls in AFP over Medicare data sale

A journalist has been able to purchase his own Medicare details from a ‘darknet trader’

The government has said that the Australian Federal Police will investigate an illicit service that boasts it can provide the Medicare number of any individual for under $30.

Guardian journalist Paul Farrell reported this morning that he had been able to purchase his own Medicare number from a “darknet trader”.

Farrell purchased the data from a service that dubs itself “the Medicare machine” for 0.0089 bitcoin (less than $30). The service requires the first and last name of an individual and their date of birth.

The listing on the dark web site currently says that 75 Medicare numbers have been sold since October 2016. However, the vendor's description indicates that he or she may have offered a similar service previously.

“I'M BAAAACCK! I see you guys missed me a lot more than what the Commonwealth did,” the listing states.

“Many thanks to all of you for your kind words of encouragement during the outage, much appreciated. So much so that I've been slaving away in the dank corner of a Northern Siberian Yeti cave just to bring it back. Well, good news, it is back. Exploiting a vulnerability which has a much more solid foundation which means not only will it be a lot faster and easier for myself, but it will be here to stay.”

“Purchase this listing and leave the first and last name, and DOB of any Australian citizen, and you will receive their Medicare Patient details in full,” the listing states.

Human services minister Alan Tudge said that the claims in the Guardian “are being taken seriously by the government and are under investigation.”

“I have received assurance that the information obtained by the journalist was not sufficient to access any personal health record,” Tudge said.

“The only information claimed to be supplied by the site was the Medicare card number. The journalist was asked to provide his own name and date of birth in order to obtain the Medicare card number.”

“Any apparent unauthorised access to Medicare card numbers is nevertheless of great concern.”

The minister said that “investigations into activities on the dark web occur continually”.

“The security of personal data is an extremely serious matter. Thorough investigations are conducted whenever claims such as this are made,” Tudge said.

Medicare data was at the centre of an unrelated privacy incident last year after the Department of Health released improperly anonymised data sets.